Searching over 5,500,000 cases.


searching
Buy This Entire Record For $7.95

Download the entire decision to receive the complete text, official citation,
docket number, dissents and concurrences, and footnotes for this case.

Learn more about what you receive with purchase of this case.

Attias v. CareFirst, Inc.

United States Court of Appeals, District of Columbia Circuit

August 1, 2017

Chantal Attias, individually and on behalf of all others similarly situated, et al., Appellants
v.
CareFirst, Inc., doing business as Group Hospitalization and Medical Services, Inc., doing business as CareFirst of Maryland, Inc., doing business as CareFirst BlueCross BlueShield, doing business as CareFirst BlueChoice, Inc., et al., Appellees

          Argued March 31, 2017

         Appeal from the United States District Court for the District of Columbia (No. 1:15-cv-00882)

          Jonathan B. Nace argued the cause for appellants. With him on the briefs was Christopher T. Nace.

          Marc Rotenberg and Alan Butler were on the brief for amicus curiae Electronic Privacy Information Center (EPIC) in support of appellants.

          Tracy D. Rezvani was on the brief for amicus curiae National Consumers League in support of appellants.

          Matthew O. Gatewood argued the cause for appellees. With him on the briefs was Robert D. Owen.

          Andrew J. Pincus, Stephen C.N. Lilley, Kathryn Comerford Todd, Steven P. Lehotsky, and Warren Postman were on the brief for amicus curiae The Chamber of Commerce of the United States of America in support of appellees.

          Before: Tatel, Griffith, and Millett, Circuit Judges.

          OPINION

          GRIFFITH, CIRCUIT JUDGE

         In 2014, health insurer CareFirst suffered a cyberattack in which its customers' personal information was allegedly stolen. A group of CareFirst customers attributed the breach to the company's carelessness and brought a putative class action. The district court dismissed for lack of standing, finding the risk of future injury to the plaintiffs too speculative to establish injury in fact. We conclude that the district court gave the complaint an unduly narrow reading. Plaintiffs have cleared the low bar to establish their standing at the pleading stage. We accordingly reverse.

         I

         CareFirst and its subsidiaries are a group of health insurance companies serving approximately one million customers in the District of Columbia, Maryland, and Virginia.[1] When customers purchased CareFirst's insurance policies, they provided personal information to the company, including their names, birthdates, email addresses, social security numbers, and credit card information. CareFirst then assigned each customer a subscriber identification number. The companies stored this information on their servers. Allegedly, though, CareFirst failed to properly encrypt some of the data entrusted to its care.

         In June 2014, an unknown intruder breached twenty-two CareFirst computers and reached a database containing its customers' personal information. CareFirst did not discover the breach until April 2015 and only notified its customers in May 2015. Shortly after the announcement, seven CareFirst customers brought a class action against CareFirst and its subsidiaries in our district court. Their complaint invoked diversity jurisdiction under the Class Action Fairness Act, 28 U.S.C. § 1332(d), and raised eleven different state-law causes of action, including breach of contract, negligence, and violation of various state consumer-protection statutes.

         The parties disagree over what the complaint alleged. According to CareFirst, the complaint alleged only the exposure of limited identifying data, such as customer names, addresses, and subscriber ID numbers. According to plaintiffs, the complaint also alleged the theft of customers' social security numbers. The plaintiffs sought to certify a class consisting of all CareFirst customers residing in the District of Columbia, Maryland, and Virginia whose personal information had been hacked. CareFirst moved to dismiss for lack of Article III standing and, in the alternative, for failure to state a claim.

         The district court agreed that the plaintiffs lacked standing, holding that they had alleged neither a present injury nor a high enough likelihood of future injury. The plaintiffs had argued that they suffered an increased risk of identity theft as a result of the data breach, but the district court found this theory of injury to be too speculative. The district court did not read the complaint to allege the theft of social security numbers or credit card numbers, and concluded that "[p]laintiffs have not suggested, let alone demonstrated, how the CareFirst hackers could steal ...


Buy This Entire Record For $7.95

Download the entire decision to receive the complete text, official citation,
docket number, dissents and concurrences, and footnotes for this case.

Learn more about what you receive with purchase of this case.